ollama-agent-router 0.1.7 → 0.1.8

package/README.md

@@ -94,6 +94,8 @@ Start with:
 ollama-agent-router serve --config examples/gex44.yaml
 ```
 
+`examples/gex44-secured.yaml` is the same hardware profile with the standalone plane locked down: API key required, anonymous access rejected, per-key rate limits, and the admin plane enabled on localhost. Use it as a starting point when the router is exposed beyond a single user or process.
+
 ## Config Reference
 
 Lookup order:
@@ -252,17 +254,22 @@ This prevents the admin API from changing the rules that protect itself. When `a
 
 Admin API:
 
+**Read the current managed access config**
+
 ```bash
 curl http://127.0.0.1:11435/v1/admin/access/config \
   -H 'authorization: Bearer admin-secret'
+```
+
+**Replace the entire managed access config** (planes + all keys at once)
 
+```bash
 curl -X PUT http://127.0.0.1:11435/v1/admin/access/config \
   -H 'authorization: Bearer admin-secret' \
   -H 'content-type: application/json' \
   -d '{
     "expectedVersion": 1,
     "config": {
-      "version": 1,
       "planes": {
         "standalone": {
           "enabled": true,
@@ -280,7 +287,51 @@ curl -X PUT http://127.0.0.1:11435/v1/admin/access/config \
   }'
 ```
 
-The admin `PUT` supports optimistic concurrency. If `expectedVersion` is present and does not match the active managed access config, the router returns `409`.
+`expectedVersion` enables optimistic concurrency. If present and the value does not match the active managed config version, the router returns `409`.
+
+**Add an API key**
+
+Generate a key and its SHA-256 hash first:
+
+```bash
+node -e "
+const c = require('crypto'), k = 'onr-' + c.randomBytes(20).toString('hex');
+console.log('key: ', k);
+console.log('hash: sha256:' + c.createHash('sha256').update(k).digest('hex'));
+"
+```
+
+Then add the key:
+
+```bash
+curl -X POST http://127.0.0.1:11435/v1/admin/access/keys \
+  -H 'authorization: Bearer admin-secret' \
+  -H 'content-type: application/json' \
+  -d '{
+    "id": "user-alice",
+    "name": "Alice",
+    "keyHash": "sha256:<hash>",
+    "scopes": ["standalone"],
+    "limits": {
+      "standalone": {"requests": 100, "windowSeconds": 60}
+    }
+  }'
+```
+
+Returns `201` with the created key entry. Returns `409` if the `id` is already in use.
+
+`scopes` controls which planes accept the key. Valid values are `standalone`, `runtimeAgent`, or both. `limits` is optional; when omitted, the plane's `defaultLimit` applies.
+
+**Revoke an API key**
+
+```bash
+curl -X DELETE http://127.0.0.1:11435/v1/admin/access/keys/user-alice \
+  -H 'authorization: Bearer admin-secret'
+```
+
+Returns `200 { "revoked": { ... } }` with the removed key entry. Returns `404` if the id is not found. The change takes effect immediately without a restart.
+
+All admin operations are written atomically to `access.managedConfigPath` and appended to the audit log when `auditLog: true`.
 
 For admin client certificate checks, enable HTTPS, configure `server.https.caPath`, and set:
 

package/dist/cli.js

@@ -44,6 +44,17 @@ var protectedPlaneConfigSchema = z.object({
   }).default({ requireApiKey: false, anonymous: "allow" }),
   defaultLimit: trafficLimitSchema.optional()
 });
+var apiKeySchema = z.object({
+  id: z.string().min(1).regex(/^[a-zA-Z0-9._:-]+$/, "api key id may contain only letters, numbers, dots, underscores, colons, and dashes"),
+  name: z.string().min(1).optional(),
+  keyHash: z.string().regex(/^sha256:[a-fA-F0-9]{64}$/, "keyHash must use sha256:<64 hex chars>"),
+  enabled: z.boolean().default(true),
+  scopes: z.array(z.enum(["standalone", "runtimeAgent"])).min(1),
+  limits: z.object({
+    standalone: trafficLimitSchema.optional(),
+    runtimeAgent: trafficLimitSchema.optional()
+  }).optional()
+});
 var managedAccessConfigSchema = z.object({
   version: z.number().int().nonnegative().default(1),
   updatedAt: z.string().datetime().optional(),
@@ -60,19 +71,7 @@ var managedAccessConfigSchema = z.object({
     standalone: { enabled: true, auth: { requireApiKey: false, anonymous: "allow" } },
     runtimeAgent: { enabled: true, auth: { requireApiKey: false, anonymous: "allow" } }
   }),
-  apiKeys: z.array(
-    z.object({
-      id: z.string().min(1).regex(/^[a-zA-Z0-9._:-]+$/, "api key id may contain only letters, numbers, dots, underscores, colons, and dashes"),
-      name: z.string().min(1).optional(),
-      keyHash: z.string().regex(/^sha256:[a-fA-F0-9]{64}$/, "keyHash must use sha256:<64 hex chars>"),
-      enabled: z.boolean().default(true),
-      scopes: z.array(z.enum(["standalone", "runtimeAgent"])).min(1),
-      limits: z.object({
-        standalone: trafficLimitSchema.optional(),
-        runtimeAgent: trafficLimitSchema.optional()
-      }).optional()
-    })
-  ).default([])
+  apiKeys: z.array(apiKeySchema).default([])
 });
 var defaultManagedAccessConfig = managedAccessConfigSchema.parse({});
 var adminPlaneConfigSchema = z.object({
@@ -1652,6 +1651,51 @@ var AccessControlStore = class {
     });
     return structuredClone(updated);
   }
+  async addApiKey(input2) {
+    const key = apiKeySchema.parse(input2);
+    await this.enqueueWrite(async () => {
+      if (this.managed.apiKeys.some((k) => k.id === key.id)) {
+        throw new AccessHttpError(409, `API key with id '${key.id}' already exists`);
+      }
+      if (!this.access.managedConfigPath) {
+        throw new AccessHttpError(500, "access.managedConfigPath is not configured");
+      }
+      const next = {
+        ...this.managed,
+        version: this.managed.version + 1,
+        updatedAt: (/* @__PURE__ */ new Date()).toISOString(),
+        apiKeys: [...this.managed.apiKeys, key]
+      };
+      await writeManagedAccessConfig(this.access.managedConfigPath, next);
+      this.managed = next;
+      this.access.managed = next;
+    });
+    return structuredClone(key);
+  }
+  async revokeApiKey(id) {
+    let removed;
+    await this.enqueueWrite(async () => {
+      const idx = this.managed.apiKeys.findIndex((k) => k.id === id);
+      if (idx === -1) {
+        throw new AccessHttpError(404, `API key '${id}' not found`);
+      }
+      if (!this.access.managedConfigPath) {
+        throw new AccessHttpError(500, "access.managedConfigPath is not configured");
+      }
+      removed = this.managed.apiKeys[idx];
+      const next = {
+        ...this.managed,
+        version: this.managed.version + 1,
+        updatedAt: (/* @__PURE__ */ new Date()).toISOString(),
+        apiKeys: this.managed.apiKeys.filter((_, i) => i !== idx)
+      };
+      await writeManagedAccessConfig(this.access.managedConfigPath, next);
+      this.managed = next;
+      this.access.managed = next;
+      this.limiter.clear();
+    });
+    return structuredClone(removed);
+  }
   publicMiddleware(planeOrPlanes) {
     return (req, res, next) => {
       const planes = Array.isArray(planeOrPlanes) ? planeOrPlanes : [planeOrPlanes];
@@ -1962,6 +2006,26 @@ function createApp(config, deps) {
       next(error);
     }
   });
+  api.post("/v1/admin/access/keys", adminAccess, async (req, res, next) => {
+    try {
+      const key = await access3.addApiKey(req.body);
+      auditAdmin(config.access.admin, req, "success", "key_added", res.locals.admin?.remoteIp, key.id);
+      res.status(201).json(key);
+    } catch (error) {
+      auditAdmin(config.access.admin, req, "failure", error instanceof Error ? error.message : String(error), res.locals.admin?.remoteIp);
+      next(error);
+    }
+  });
+  api.delete("/v1/admin/access/keys/:id", adminAccess, async (req, res, next) => {
+    try {
+      const revoked = await access3.revokeApiKey(req.params.id);
+      auditAdmin(config.access.admin, req, "success", "key_revoked", res.locals.admin?.remoteIp, revoked.id);
+      res.json({ revoked });
+    } catch (error) {
+      auditAdmin(config.access.admin, req, "failure", error instanceof Error ? error.message : String(error), res.locals.admin?.remoteIp);
+      next(error);
+    }
+  });
   api.get("/v1/router/capabilities", runtimeAgentAccess, (_req, res) => {
     res.json(buildCapabilities(config));
   });